Implement or review Web2 wallet-based auth (SIWE/EIP-712) with nonce+expiry+anti-replay, ERC-1271 support, rate limiting, and safe logging. Use when touching login/session/authz endpoints or any signature verification off-chain.
Implement or review Web2 wallet-based auth (SIWE/EIP-712) with nonce+expiry+anti-replay, ERC-1271 support, rate limiting, and safe logging. Use when touching login/session/authz endpoints or any signature verification off-chain.
Web2 Wallet Auth (SIWE/EIP-712 + ERC-1271)
When to use
Any change to: login routes, session issuance, signature verification, nonce storage, auth middleware, or endpoints that accept wallet identities.
Any addition of privileged Web2 roles (admin/ops/keeper) or routes that accept IDs from the client.
Goal (Definition of Done)
✅ Login is replay-safe (nonce + expiry + one-time use).
✅ Verification supports both:
EOA signatures (ECDSA)
Smart wallets (ERC-1271 via eth_call isValidSignature)
✅ Domain + chainId are validated.
✅ AuthZ prevents IDOR (deny by default; ownership checks).